]> git.baikalelectronics.ru Git - kernel.git/commit
ext4: limit length to bitmap_maxbytes - blocksize in punch_hole
authorTadeusz Struk <tadeusz.struk@linaro.org>
Thu, 31 Mar 2022 20:05:15 +0000 (13:05 -0700)
committerTheodore Ts'o <tytso@mit.edu>
Wed, 13 Apr 2022 02:24:35 +0000 (22:24 -0400)
commit6b26cbd2da8a5ac3d2df5f062adfcdb3daa8ead8
tree36b6ed4770cf4b6d47d45a33d178b87442d2e3e4
parent98ff64a95469fa287a776e33acd0134c0bea4881
ext4: limit length to bitmap_maxbytes - blocksize in punch_hole

Syzbot found an issue [1] in ext4_fallocate().
The C reproducer [2] calls fallocate(), passing size 0xffeffeff000ul,
and offset 0x1000000ul, which, when added together exceed the
bitmap_maxbytes for the inode. This triggers a BUG in
ext4_ind_remove_space(). According to the comments in this function
the 'end' parameter needs to be one block after the last block to be
removed. In the case when the BUG is triggered it points to the last
block. Modify the ext4_punch_hole() function and add constraint that
caps the length to satisfy the one before laster block requirement.

LINK: [1] https://syzkaller.appspot.com/bug?id=b80bd9cf348aac724a4f4dff251800106d721331
LINK: [2] https://syzkaller.appspot.com/text?tag=ReproC&x=14ba0238700000

Fixes: 13d5647fc9ac ("ext4: enable "punch hole" functionality")
Reported-by: syzbot+7a806094edd5d07ba029@syzkaller.appspotmail.com
Signed-off-by: Tadeusz Struk <tadeusz.struk@linaro.org>
Link: https://lore.kernel.org/r/20220331200515.153214-1-tadeusz.struk@linaro.org
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Cc: stable@kernel.org
fs/ext4/inode.c